Deconstructing the Defacer Challenge Hoax/FUD

Richard Forno, Brian Martin

Sat Jul 12 17:18:32 EDT 2003

On June 21, 2003, a small web site was created to harness the competitive
nature of the defacing community by holding a contest of computer vandalism.
Several computer security companies took this event as an opportunity to whore
themselves out to any media outlet that might listen; once again
blowing an event of questionable origins and dubious consequences way out of
proportion. Their claims ranged from the event being capable of disrupting internet traffic
to it causing tens of thousands of defacements and posing a serious threat
to internet security. Yet, rather than teach the public, industry, and
policymakers anything about security, it taught
us another lesson in the power of FUD (Fear, Uncertainty, and Doubt) and
the scare tactics that security companies will use to make a quick buck.

Again. These folks have no clue about security. Or shame. Or both.

As such, we decided to craft a counter-hype message and attempt to subvert
this latest FUD attack -- one that we know soon will be quoted on Capitol
Hill and the security industry as yet another compelling reason to enact
"strong" information security policies and practices while selling products
and services designed to prevent such "dangers" from ever occurring again. In
their quest to look like effective policymakers by trying to develop a
"digital defense" for the nation, count on seeing clue-deprived politicos
discussing how this "Defacers' Challenge" ranks right up there in baseless,
unfounded, but oft-hyped global cybersecurity concerns just like hacking the
FAA to crash airplanes (yeah, right), a new "cyberwar" between college
students in different countries when one side can't download their porn
fast enough from the other, or when the next major Windows
worm/virus/feature reveals itself. Forget rational thinking and critical
analysis; if something sounds scary enough, it's good enough for Congress
to hold hearings on...stay tuned for them, they're not far off!

Attrition has monitored the website defacement "scene" for 3 years and we
immediately became suspicious of the speed that this "event" began to
proliferate in the news media and industry marketing propaganda. Several
of the recognized security professionals we've associated with on research
projects over the years agreed, and the idea to try and bring the sheer
lunacy of this "event" to public light in an innovative way was born.

There was absolutely no reason why this "challenge" should have received the
widespread public attention it did. Five or ten years ago - during the
early days of the commercial internet, when everyone was still figuring out
what it all meant and how it worked - perhaps we'd be more understanding,
but now that the commercial internet is a part of everyday life and
countless vendors are offering to help defend oneself, there's no excuse
for the histrionics and paranoia we saw during this "event." (To their
credit, some recognized entities - such as Symantec and the Department of
Homeland Security - did not release any statements or alerts on this
contest, and some firms known for generating FUD-filled alerts in the past -
such as TruSecure - did the responsible thing by dispelling the FUD for a
change.)

Nearly anyone who provided alerts or commentary to the media on this item
should have their heads examined, or at the very least question their
ability to be a credible security professional if they really thought this
was a "major" security concern. If a system administrator isn't
performing their duties on a daily basis - which includes keeping software
patched and properly configured, monitoring log files, turning off
unnecessary network services, and such - or if a CIO isn't enforcing strong
IT management procedures, they have no business being employed in such a
critical role for our large enterprises.
Yet nobody's ever held accountable for poor system security and bad system
administration practices - no CIO or system administrator's been fired or
called to testify on why their site was compromised, or why they're being
forced to use substandard, repeatedly exploitable software products that
make it easy for anyone to cause mischief on the Net. Until these root
problems are fixed (and "Trustworthy Computing" isn't necessarily the right
answer) it's likely this situation will continue unabated.

As the talking points on our "defacement" page stated, there were any number
of (quite) obvious hints and indications that this was not the start of
that alleged "Digital Pearl Harbor" that the clueless idiots in Washington
and the security "intelligence" industry are prophesying, or a major
internet attack launched by any number of nefarious evildoers, but either an
elaborate hoax or nothing more than bald-balled kiddies looking for
mischief during their summer breaks from school. Had the media and
"experts" done their homework - or exercised a modicum of common sense and
used a few processor cycles worth of analysis - they'd have realised this
"Challenge" was nothing to lose sleep over. Hell, the Internet had as much
of a chance of failing - or significant economic damages occurring - as John
Ashcroft has seeking out and being welcomed into a Vegas brothel during
DefCon next week.

But these quite obvious clues generally went unnoticed, since the story was
a fantastic way to spice up an otherwise slow news week before the
Independence Day holiday. Besides, Iraq is becoming embarrassing, and nobody
wants to talk about what's going on in Afghanistan right now, so why not
spin up a spooky story about a potential Digital Armageddon?

We figured it out -- why didn't they?

Because fear sells "news" stories full of half-truths and speculation, and
profitable security products, neither of which we at Attrition care to produce.
Real security experts know that conducting effective information security
programs requires technical competency and the ability to think
independently and make one's own decisions -- neither of which we saw during
the run-up to this "event." Nearly all those running around in public
forums in recent days - security experts, industry spokespeople, and
politicians - showed just how clueless they are about internet security by
spreading the FUD to anyone within earshot, failing to question the hype,
and either proposing (or actually taking) emergency steps to prepare to
repel the "attack" when it happened.

The fact that security vendors issued marketing press releases offering
their executives for interviews and sound bites during this event clearly
shows they're more concerned with using such events for free advertising
than in the best interests, safety, and security of the internet community.
How very whorish. But not entirely unexpected.

The more things change, the more they stay the same. Security will never
improve until the wetware found in the media, security industry, and the
national policy process gets a serious upgrade.

Besides, telling the truth, explaining reality, and educating the masses in
a manner that enables them to function more for themselves just isn't
profitable. It works the same in politics, religion, business, and the
information security community.

So, what lessons did you learn from this event?

Timeline of events related to the "Defacers Challenge" fiasco.

Jun 21, 2003: DOMAIN: DEFACERS-CHALLENGE.COM created

It is unclear when the challenge information was put up on the site. We know it occurred
after Jun 21 and before Jul 02.

The contest awards a point for every Windows system defaced, two points for a Unix,
Linux or BSD system, three points for any system running IBM's AIX, and five points
for an HP-UX system or Apple Computer OS X system.

The NYS advisory warns that "all publicly accessible web sites on all platforms" are affected by
this threat. Interestingly, the agency felt obligated to post a cyber-security
alert, but didn't feel it warranted a change in its cyber-alert warning
level. One would think if an alert was generated, the warning level would
be changed. What good's the color-coded alert scheme if you're not going to
use it? The NYS alert also reassures readers that it will "post additional
details as they become available" -- but now, one week later, where are
these "additional details?" Are they that slow in updating their website?

Robert Lemos follows up on the story regarding the Defacers Challenge. The basis of the article appears
to stem from an Internet Security Systems (ISS) "advisory" sent to media outlets warning of the
challenge and impending attacks. ISS and Zone-H confirm defacements are down prior to the attack, meaning
"vandals had taken the contest seriously", while security company Symantec saw no signs of increased
scanning. Preatoni (Founder of Zone-H) added that Zone-H expects to record between 20,000 and
30,000 Web site defacements during the contest.

G00db0y of Zone-H releases their own article about the contest, interjecting a dose of
rational thinking as well as their own style of FUD. While they explain how a defacement occurs and
why it wouldn't "disrupt the Internet", they go on to say that based on "rumors" they
forecast "an amount of attacks starting from anywhere around 20.000 and up".

Associated Press follows up with this more in-depth article, once again quoting ISS as the only source
for these attacks that would cause concern. Symantec still counters the ISS claims, reporting no
suspicious activity to support these allegations.

Edward Hurley covers the story, apparently harvesting snippets from the other articles. Not only does he
mention hackers "disrupt[ing] Internet activity", he gives two quotes from ISS that seem to contradict each other.
The article quotes ISS saying it will be "a hard one to predict" regarding the "onslaught of Web defacements", then
quotes ISS again clearly saying "major activity won't publicly surface until .. July 6". Did everyone
forget that ISS spammed out a press release to news outlets warning of the upcoming attacks? If it was so hard
to predict, why the need to mail every news outlet saying it would happen? This is an obvious attempt
to make the story more dramatic than it is.

Jul 04, 2003: DOMAIN: DEFACER-CHALLENGE.COM created

As is common, a "misspelled" domain is created by a cybersquatter
to try and generate additional hits (or revenue) to/from their website when
users mistype the URL to the intended website. In this case, the page put
up advertises pornography and opens three pop-up windows when you attempt to
close the page.

"Correspondents in Washington" release this FUD-filled article claiming "ISS and other leading consultants
issued international warnings". Makes one question what ISS is leading in, security or pushing FUD. They go on
to quote Zone-H as saying "hackers have all the necessary equipment and skills to carry out the threatened
challenge in a few seconds."

While Mercury News is lagging, Reuters is giving early news indicating the challenge was pedestrian at best. Filed at
9:15 AM seems premature given that the challenge was extended. But they got the scoop!

The usual number of defaced web sites is reported, yet Allor of ISS still tries to justify all the hype
by claiming "We at least knew it was coming". Of course, the same number of sites are defaced every weekend;
it was a foregone conclusion it was coming.

Jul 07, 2003: Contest has ended.

SyS64738 of Zone-H describes what happened on Sunday during the contest. Interesting to note
that Zone-H says "Nothing would have happened, if only the media didn't pay so much attention
turning a non-case into something useful to fill the empty summer newspapers." Yet, in a previous
article they were quoted as predicting up to 20,000 defacements, far more than usual, which
would make this a "case". They further add dramatic words by calling the 6th "the messiest
day in the whole Internet history."

Thomas Greene mocks FedCIRC and mi2g for fearmongering, then asks "whose hoax was it?" Greene's first idea is
that Zone-H could be involved, then the sites (including attrition.org) that defaced themselves to
mock the whole ordeal. While the idea of a hoax is interesting and amusing, it is equally absurd to think
sites that lash out at FUD-based news would invent their own news as a conduit to further complain about FUD
news. But logic never stopped a good alternate angle on a story when editors are pressuring you, right?

Middleton and Thomson sum up the event and bring attention to the fact that it may have been over-hyped
by "security specialists". While it is true that ISS hyped this up from day one, it took the media reporting
on it for it to work.

"In the end, it's amazing how a single website can cause such dramatic media hype, fear, and wild speculation in a little less
than 5 days. There certainly seems more to this story than has yet been revealed."

Middleton and vnunet report on the flopped contest. In the end, Zone-H shows its true side of
being a security company first and foremost, not a fully neutral observer of computer crime.
"A good word from our side to all those security companies that issued an alert. A bad word to
all those who underestimated the case."

Unfortunately, several entities opted to push this event as a more serious threat
than it really was. Instead of treating it like any other weekend chock full of defacements,
they released advisories or spammed news outlets angling for their own sound bites, attempting
to cash in on the fear. While notifying customers seems to be a responsible thing to do,
using it as a vehicle to sell additional services or the latest upgrade is irresponsible
and cheap. Companies that felt the need to mail every major news outlet warning
of the impending chaos/doom compromised their business ethics in search of a
fast buck or free advertising.

In addition to the above: iDefense contacted journalists offering expert advice,
Interland warned customers to back up and that their own servers
would be offline, Keynote offered expert advice on how it
may affect Internet traffic, Foundstone assured media outlets
they were protecting you so that you could "focus on the fireworks, rather than their networks",
and Rainbow offered expert commentary on how sites are hacked.